The home of the future is likely to be highly connected, but what could this mean for your personal safety? Sophie Curtis reports.

Whether it’s smart TVs, connected fridges or location-based lighting, interest is growing in appliances, fixtures, devices and electronics that integrate with the home network and let people orchestrate their lives from a single touchscreen.

However, this is also exposing people to greater risk than ever before: an attacker could not only access your data, but also take control of your physical world.

Researchers at security firm Trustwave decided to investigate these risks, after realising that more and more of the things they had in their own homes were network-connected.

In order to enable the Internet of Things at home, you need what is known as a “home automation gateway”, which sits on the network and relays commands between the homeowner’s control device – which might be a smartphone or a tablet – and the various connected appliances in their home.

The researchers tested two home automation gateways – the MIOS VeraLite and Insteon Hub – both of which allow homeowners to control “smart” home devices such as locks on doors, garage openers, appliances, lights and thermostats from anywhere in the world.

What they found was that both devices suffered from vulnerabilities that, if not fixed, could result in covert audio and video surveillance, physical access to buildings or even personal harm.

Insteon Hub

Tests revealed that the Insteon Hub was passing unencrypted data back and forth to the control device without any authentication at all. This meant that anybody who did a scan of the network would be able to detect the Insteon Hub and run commands against it.

For example, a burglar could hack into the homeowner’s web-based control interface and disable alarms, unlock doors, or even access motion systems and security cameras installed on the property, which would allow a hacker to spy on the inhabitants.

Of course, the ability to unlock doors is only useful to a burglar if they know the location of the house. When you set up an Insteon Hub for the first time, it asks you to enter the name of your city in order to set the time zone, and this information is stored on the device.

This, combined with the fact that many people name their devices after the street they live in or their family name, means that it is not difficult to find out where the devices are deployed, and carry out a targeted attack on a house.

VeraLite

The other home automation gateway that the researchers tested was the MIOS VeraLite system, based on Linux. The researchers discovered that there are several ways for a hacker to completely take over the device if they are on the local network, and even some ways to launch an attack from the Internet.

VeraLite provides local access to customers as a feature, meaning that they don’t have to go through the server for every transaction and every configuration or scene. This means that the consumer can turn their lights off downstairs when going to bed or turn their thermostat up, even if the Internet is down.

Trustwave found that there is no requirement for a username and password to be set up when unboxing the device, allowing anyone with access to the local network to take control of the devices connected to it.

In the case of accessing VeraLite remotely, data is passed from the home automation gateway to the control device via a “forwarding server”. This forwarding server is only protected by a firewall, meaning that anyone who can get through the firewall could theoretically access all of the VeraLite units connected to it.

This could potentially allow a hacker to gain access to large numbers of VeraLite units simultaneously and carry out mass command and control, according to the researchers.

“If you’re a lock manufacturer, your product needs to go under serious consideration for security and peer review before anyone will take you seriously, and that’s as it should be,” said Daniel Crowley, managing consultant at Trustwave.

“Considering that these home automation gateways will hook up to things like door locks and alarm systems, security needs to be taken just as seriously, because we’re putting very different things at risk by connecting the physical world to the internet.”

Are you safe?

Insteon told the Telegraph that it is committed to ensuring a safe and secure experience for everyone, and takes reports of security vulnerabilities seriously. Since being alerted to the vulnerabilities by Trustwave, it has launched a new version of the Insteon Hub which includes authentication. However, it still does not encrypt data.

“If a hacker is able to breach the home network, it is up to individual devices to provide the next line of defense. This defense includes customers setting up authentication (strong username and password combinations) and keeping their home IP addresses private,” said Joe Dada, CEO and Joe Gerber, President & COO of Insteon, in a statement.

“Clearly, with the advancement of technology, new benefits and risks often surround the adoption of products. We believe the benefit and convenience of home automation technology outweigh the risks. Having said that, we will continue to strive to be the best in our industry – this means offering our customers the best products with the highest level of security and protection available, and continuous improvement of those products.”

Meanwhile, MIOS said that putting a password on a local network is not adding security, because passwords are broadcast unencrypted over the home network anyway, so any hacker who has access to your home network can easily see the password.

“The only true protection is having a secure wi-fi network with the most current WPA2 encryption (or whatever comes next). Every device on your network is vulnerable if someone hacks the Wi-Fi network, your PC, your NAS device, etc.,” said Lew Brown, EVP Sales, Marketing and Business Development at MIOS.

“So yes, like all other network devices in your home, they are reliant on the end consumer not leaving their wi-fi network unencrypted to be safe. And yes, if someone actually goes on your front lawn and hacks your wi-fi network, all devices sitting locally on that network are vulnerable.”

He also denied that it was possible for hackers to take control of other people’s VeraLites, claiming that the devices use HTTPS (Hypertext Transfer Protocol Secure), which is what banks and all secure online transactions use.

Hacking the Internet of Things

Whether or not these particular devices are vulnerable to attack, the point remains that introducing connected devices opens up new security risks, and most people do not have the knowledge or awareness to judge whether a product is secure.

It's worth pointing out that, currently, a secure WiFi network will keep these devices secure too. The Telegraph has not been able to identify anyone who has been a victim of domestic hacking, in part because use is still quite limited, and because early adopters are likely to be security savvy.

And the threat does not disappear once you leave the home. One only has to look at the £50 million super yacht that was hijacked as it sailed from Monaco to Rhodes on the Mediterranean Sea, because researchers overrode its GPS signals; or the computer scientist who discovered the unique algorithm used to start luxury cars including Porsches, Audis, Bentleys and Lamborghinis.

“As technology becomes more entwined with the physical world, the consequences of security failure escalate,” said Forrester analyst Andrew Rose in a recent research report.

“As the Internet of Things becomes embedded in everyday life, reaching through industrial control to personal devices and infrastructure such as transport and power, these scenarios become more complex and have graver consequences.”

People who connect up their homes to the internet are ultimately putting their safety in the hands of whichever company provides the technology. While hooking up a few lightbulbs or a washing machine may not have any serious consequences, hooking up a front door lock might.

Until this technology is proven to be safe, it seems best to err on the side of caution, and keep at least the keys to the kingdom in your trouser pocket.